SITE EXPERIENCE 


MIT 


D. ALVAREZ 
M. EICHIN
J. ROCHLIS 



TACTICAL/MANAGEMENT ISSUES

• SMALL GROUPS 3 TO 5 +
• PHYSICAL PROXIMITY
• FUNCTIONAL BREAKDOWN
    COORDINATING
    PROTECTING
    RESEARCHING

• INTERGROUP CONTACTS 

"OLD BOY NETWORK" 

TELEPHONES - CAREFUL OF ISDN

• 16 HOURS TO COMMAND POST

• 3 HOURS TO SECURE (THANKS PETER YEE)

• FEAR/MORALE/COCKPIT ERRORS

• REPORTING KEY TO INTEGRATING SECURITY COMMUNITY INTO SYSTEM
MANAGER COMMUNITY

• EMERGENCY BROADCAST NETWORK - 1200 BAUD DIGITAL TAPE RECORDER


DON ALVAREZ 



MIT SITE EXPERIENCES 


RSH 

REXEC 

TELNET (PROBE ONLY) 
FINGER BUG 
SENDMAIL DEBUG 




EXEC /BIN/SH

↓

CREATE XNNN.C
COMPILE IT
RUN IT

↓

VICTIM 'SH'


MARK EICHIN 



MIT SITE EXPERIENCES 


JOHN ROCHLIS, MIT NETWORK GROUP 
MARK EICHIN, MIT PROJECT ATHENA 

• STUDENT INFORMATION PROCESSING BOARD 

• PROJECT ATHENA 'WATCHMAKERS' 

• MIT LAB FOR COMPUTER SCIENCE 

• MIT MEDIA LAB 


"THE INTERNET VIRUS OF NOVEMBER 3, 1988" 


MARK EICHIN 



MIT SITE EXPERIENCES 


/ETC/HOSTS.EQUIV
/.RHOSTS



HOSTS LIST 


/ ROUTING TABLES 
\ INTERFACE LISTS 


USER NAME & PASSWORD <—

• PERMUTATION OF USER NAMES
• BUILT-IN DICTIONARY
• /USR/DICT/WORDS


FILE/.FORWARD
FILE/.RHOSTS


MARK EICHIN 




Don Alvarez

MIT Center for Space Research


Observations on the Arpanet Virus at MIT


1. Work was performed primarily by small, isolated groups.

Three to five members seems typical. 

Groups seem to form first by physical proximity, then connect
other groups through 'old boy network'.


Groups seem to break along functional lines: 

Coordinating and communicating information.

Protecting and disinfecting machines.

Researching and disassembling virus.

Most sites were able to isolate and secure their machines in about
three hours after receipt of Peter Yee's message.
... little effort to contact government, etc. until quite late.

Inter-group communications primarily over telephones;
later communications possible by computer mail.

... in a vacuum ... did not try ... unnecessary yet
... 16 hours before any kind of central command post
was set up at MIT. Post came about largely when two very
competent groups began working on disassembly of virus and
needed to pool resources.

Most sites seemed to have expected (and experienced) relapses due
to incomplete inoculation, but were not concerned by this.

Group members seemed to be hit by fear only when the virus
reinfected supposedly "safe" machines long after the threat
was believed over (as with the finger daemon attacks). The
illusion of security was shattered.

(617)253-7457 


Don Alvarez

MIT Center for Space Research 


Suggestions for the Future


1. Safe use of telephones is essential. Information on the virus could
not have been transmitted between workers without them.
Mixed voice/data systems make cleanup much more difficult
and dangerous.

Greater mixing between system managers and government security
professionals is necessary if a nationally coordinated
response is to be possible in the future. Most system managers
don't know any security professionals, and hence cannot
include them in their "old boy network".

A two-pronged, time-delayed attack would be extremely
demoralizing, particularly if the second attack was timed to hit
just when groups were disbanding and felt a sense of
confidence and security from their work.

A computer equivalent of the Emergency Broadcasting Network
would be extremely important. Peter Yee's message was
probably the single most decisive factor in a timely response to
this virus. Suppose UUNET had gone down. The emergency
... a digital tape recorder containing audi...
... baud. (This solution would be much
cheaper than an equivalent bank of modems and less
susceptible to hacking). Users would be able to upload system
patches and code from this clearing house in a timely manner.